Skip to main content

Flowise EUVDEUVD-2026-38119

| CVE-2026-56276 MEDIUM
Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915)
2026-06-20 VulnCheck GHSA-qr8q-6c25-rppr
6.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible API requires a pre-obtained authenticated session (PR:L, AC:H); integrity impact is high via password hash overwrite; no confidentiality or availability impact applies.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 22, 2026 - 06:19 vuln.today
Analysis Generated
Jun 22, 2026 - 06:19 vuln.today
Patch available
Jun 20, 2026 - 17:16 EUVD

DescriptionCVE.org

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password hash, establishing persistent account access after temporary session compromise.

AnalysisAI

Mass assignment in Flowise's PUT /api/v1/user endpoint (all versions before 3.1.2) allows an authenticated user to overwrite their own account's password hash by supplying a crafted credential field in the request body, entirely bypassing the intended old-password verification, hashing enforcement, and session-invalidation workflow. An attacker who first obtains a temporary session - via XSS, token theft, or session hijacking - can exploit this to establish permanent account persistence even after the legitimate session expires, with no knowledge of the current password required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Acquire valid session via XSS or token interception
Delivery
Craft PUT /api/v1/user body with pre-computed credential hash
Exploit
Submit authenticated request to vulnerable endpoint
Execution
TypeORM merge overwrites password hash without verification
Persist
Attacker logs in with new credentials
Impact
Persistent account access established post-session expiry

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated session for the target account - the controller enforces `currentUser.id !== id` which prevents any cross-user modification, strictly limiting this to self-account credential takeover. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.0 (AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N) accurately characterizes this as a moderate-severity, integrity-focused flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has stolen a victim's Flowise session token - for instance by exploiting an XSS vulnerability in the Flowise interface or intercepting a token via an insecure channel - issues a crafted `PUT /api/v1/user` request containing the victim's user ID and a pre-computed bcrypt hash of an attacker-chosen password in the `credential` field. Because the server merges the entire request body onto the User entity without filtering, the victim's password hash is silently overwritten with no old-password check, no re-hashing, and no session invalidation triggered. …
Remediation Upgrade Flowise to version 3.1.2 or later (vendor-released patch: 3.1.2), which resolves the mass assignment flaw by introducing field filtering in the PUT /api/v1/user endpoint to block direct modification of sensitive entity fields such as `credential`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2025-8943 CRITICAL POC
9.8 Aug 14

Flowise versions before 3.0.1 allow unauthenticated access to the Custom MCPs feature, which is designed to execute OS c

CVE-2025-26319 CRITICAL POC
9.8 Mar 04

FlowiseAI Flowise version 2.2.6 contains an arbitrary file upload vulnerability in the /api/v1/attachments endpoint. Una

CVE-2025-58434 CRITICAL POC
9.8 Sep 12

Flowise is a drag & drop user interface to build a customized large language model flow. Rated critical severity (CVSS 9

CVE-2026-30821 CRITICAL POC
9.8 Mar 07

Unrestricted file upload in Flowise LLM workflow builder before 3.0.13 via /api/v1/attachments endpoint allows unauthent

CVE-2026-30824 CRITICAL POC
9.8 Mar 07

Missing authentication on NVD data endpoint in Flowise before 3.0.13 allows unauthenticated access to internal vulnerabi

CVE-2026-56274 HIGH POC
8.7 Jun 23

Remote code execution in Flowise before 3.1.2 allows any authenticated user (or API caller with chatflow view/update per

CVE-2026-30820 HIGH POC
8.8 Mar 07

Privilege escalation in Flowise versions prior to 3.0.13 allows authenticated users to bypass API authorization by spoof

CVE-2026-30823 HIGH POC
8.8 Mar 07

Flowise versions up to 3.0.13 is affected by authorization bypass through user-controlled key (CVSS 8.8).

CVE-2025-34267 HIGH POC
8.4 Oct 14

Authenticated remote code execution in FlowiseAI Flowise (v3.0.1 up to but not including 3.0.8, and later versions when

CVE-2024-8181 HIGH POC
8.1 Aug 27

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. Rated high severity (CVSS 8.1), this vulnerabili

CVE-2026-30822 HIGH POC
7.7 Mar 07

Flowise versions up to 3.0.13 is affected by improperly controlled modification of dynamically-determined object attribu

Share

EUVD-2026-38119 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy